This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to retrieve packets content

0

Hello everyone,

I don't know what's wrong with this portal, I am posting this question for the 3rd time because the first 2 times it showed the post as published but it didn't.

My question is, I have an hour-long capture of packets from 10 different devices connected to my router. I want to retrieve audio, video and image content with the URL of the destination and any relative data from those packets. This is something concerning my kids. I would really appreciate any earliest help.

Thank you very much.

asked 28 Aug '16, 15:49

andy1970


One Answer:

0

First, determine if the traffic you want to see is encrypted or in the clear. You can filter on a TCP stream by right-clicking/Follow/TCP Stream, or you can craft a filter to specify all TCP/UDP conversations between the source/destination IP addresses. By filtering the traffic down to specific user IPs, you can determine what outbound IPs are being visited, and then you can do some quick reverse lookups against those IPs (either in a browser or using the CMD/Terminal tool nslookup; example command follows: $ nslookup "ip addr"). This will give you an idea of what type of network activity is occurring.

If the traffic is not encrypted, you can go to File/Export Objects/HTTP (or whatever protocol you are interested in) and save it to a folder. Then go digging... For this export process, "Allow Subdissector to Reassemble TCP Streams" needs to be ON and can be found under Edit/Preferences/Protocols Section/TCP.

If the traffic is encrypted, good luck! You will need keys to decrypt...

answered 29 Aug '16, 10:12

BruteForce
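As an added example (not from the answer above or from the Wireshark project), a small Python helper that applies the answer's first step to tshark field output: it groups outbound flows per LAN device, records the HTTP Host or TLS server name seen for each destination, and marks each flow as clear text or TLS, which is what decides whether File/Export Objects can recover anything. The tshark command, the field names and the 192.168.1.x addresses are assumptions; the sample output is constructed.

```python
from collections import defaultdict

# Constructed sample of what this (assumed) tshark command would print:
#   tshark -r capture.pcapng -T fields -E separator=/t \
#     -e ip.src -e ip.dst -e tcp.dstport -e http.host \
#     -e tls.handshake.extensions_server_name
# Columns: src IP, dst IP, dst port, HTTP Host header (if any), TLS SNI (if any).
SAMPLE_TSHARK_OUTPUT = """\
192.168.1.20\t93.184.216.34\t80\texample.com\t
192.168.1.20\t93.184.216.34\t80\texample.com\t
192.168.1.20\t142.250.72.14\t443\t\tvideo.example.net
192.168.1.31\t203.0.113.7\t443\t\timages.example.org
192.168.1.31\t203.0.113.7\t443\t\t
"""

LOCAL_PREFIX = "192.168.1."  # assumed home LAN of the question's router


def summarize_conversations(tshark_fields_output):
    """Group LAN-client -> Internet flows by client IP.

    Returns {client_ip: {(dst_ip, dst_port): {"name": str or None,
                                              "cleartext": bool,
                                              "packets": int}}}.
    Port 443 is assumed TLS: only the SNI name is recoverable without keys,
    so Export Objects will not yield media for those flows.
    """
    summary = defaultdict(dict)
    for line in tshark_fields_output.splitlines():
        parts = line.split("\t")
        if len(parts) < 5:
            continue  # skip short or malformed rows
        src, dst, port, http_host, sni = parts[:5]
        if not src.startswith(LOCAL_PREFIX) or dst.startswith(LOCAL_PREFIX):
            continue  # keep only traffic leaving the LAN
        entry = summary[src].setdefault(
            (dst, port), {"name": None, "cleartext": port != "443", "packets": 0})
        entry["packets"] += 1
        # first non-empty name wins; later packets of a flow often lack it
        entry["name"] = entry["name"] or http_host or sni or None
    return dict(summary)


def destinations_for(summary, client_ip):
    """List (hostname or dst IP, 'clear'/'tls') pairs for one device."""
    return sorted((v["name"] or ip, "clear" if v["cleartext"] else "tls")
                  for (ip, _port), v in summary.get(client_ip, {}).items())
```

For the flows marked clear, `tshark -r capture.pcapng --export-objects http,outdir` does the same job as File/Export Objects/HTTP in the GUI.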

Thank you very much, I will try my best to follow these steps. I will follow up on this question in case stuck anywhere. I really appreciate your response.

(29 Aug '16, 17:09) andy1970

After trying for hours, I just realised my Wireshark is not capturing much from the other devices. It is capturing only from my laptop. The other devices have some packets other than TCP, UDP. They have broadcasting, SSDP etc. packets only. I checked everything, I am connected to the same WiFi as the other devices, Wireshark is also connected to the same with promiscuous mode. What's going on? What am I doing wrong here? First I see the capture filter is also not working. Only the display filter works. Does Wireshark have any issues with Win10?

(29 Aug '16, 19:11) andy1970

There is a lot of info on WiFi captures within the forum. Today there was a good discussion at the following link - https://ask.wireshark.org/questions/55122/capturing-with-airpcap-and-seeing-only-80211-protocol-not-tcp-or-http-or/55142

Also, try the Wiki link - https://wiki.wireshark.org/CaptureSetup/WLAN

Additionally, try searching for WiFi, 802.11, or promiscuous mode. That should cover most of the questions you would have for WiFi captures.

(29 Aug '16, 19:33) BruteForce